17 April 2017

Cyber terrorism: how the security technology community can help


Over the past few years, there's been a lot of talk about nation-state attackers and the impending reality of cyberwar. There's been a lot less talk about protecting against cyber terrorism, although it's an area ripe for the kind of technological innovation that security vendors can provide. It's an area that they should be tracking closely.

Cyber terrorist groups are traditionally considered to be low-tech organizations, with very basic skills in cyber and even in IT in general. However, as some of those organizations grow and assume a semi-military structure and discipline (good examples include ISIS, Al-Qaeda and Hezbollah), they face a growing need to develop their IT and cyber skills, for multiple reasons:

1. First and foremost, to streamline their internal operations; but also to:

2. Better leverage online resources for propaganda and recruitment

3. Maintain operational security against foreign intelligence collection efforts

Some of those organizations have become extremely proficient in leveraging social media and various messaging platforms to serve their goals.

When it comes to collecting intelligence from terror organizations, or from individuals seen as engaging in terrorist-related activity, there has been and still is an ongoing opportunity for vendors to develop, improve, assimilate and maintain cyber intelligence collection and Lawful Interception (LI) systems. This applies specifically to gaining access to suspected devices and networks, and to analyzing data captured from those devices and from captured network traffic in order to extract artifacts of interest (e.g. data files, voice, images, location, connections to other individuals or organizations, etc.).

None of the above immediately contributes to any sort of offensive cyber capability. But as those terror organizations become more established, they also look to expand their arsenal of asymmetric weapons and tactics, meaning offensive tactics that allow an organization to inflict significant damage on its adversaries, far beyond what it could likely inflict in a conventional military confrontation. In the case of terror organizations, those adversaries are typically nation-states, and in some cases even superpowers. This puts cyber weapons on those organizations' list of options, especially for targeting systems and facilities that, when damaged, have the potential to inflict significant physical or moral damage. Those can include critical infrastructure (energy production and transmission, communication, etc.).

The most significant resource most terror organizations lack for carrying out offensive cyber operations, though, is a talent pool. Setting up a cyber operation initially entails just a couple of individuals with computers, and if those individuals know what they are doing, then over a relatively short amount of time they can establish a high-impact cyber operation.

However, as a result of nation-states' continued effort to scale up their offensive cyber operations, we can expect this to change in the near future, as we're seeing significant proliferation of talent and know-how from nation-state actors into the private sector, including government contractors but also well into cybercrime organizations. In some cases cybercrime and private industrial espionage groups have developed their TTPs and operational security to a level that makes them no less sophisticated than some of the nation-state actors.

While there is still a gap between joining a cybercrime or industrial espionage group, that in most cases is driven by personal gain, and joining a terrorist group, that in most cases is driven, at least in part, by ideology, the boundaries between the two become grayer and grayer every day, especially as it relates to working for or being recruited by some of the more well established terror groups. We also see the growing impact of radicalization processes on leading people into sympathizing with the goals of those organizations. As nation states continue to scale up massive cyber operations and train rapidly growing groups of individuals to carry out cyber-attacks and build cyber weapons, we can expect to see more of this talent proliferation into terror organizations.

One area that nation states should focus more on protecting is critical infrastructure, which will be the most likely target for terror groups. Currently, government regulation, audit, guidance and active protection are partial and lacking in level of detail and coverage in most nation states, and almost nonexistent in others. This will be the soft underbelly of any technologically developed nation state, and a significant area for vendors to contribute to.

Specifically, the security practices of OT networks are going through a process similar to what happened in IT networks 10-15 years ago. Traditionally, the security of most OT networks relies on segregating them from the internal IT networks, and obviously from external networks, mostly through firewalls and in many cases uni-directional traffic devices, which essentially allow traffic to go from the OT network out, but not in.

But this industry is realizing, just as the IT security industry realized a long time ago, that relying solely on perimeter defense doesn't present a significant enough obstacle to any half-sophisticated attacker, and that many attack tools and techniques allow an attacker to gain access to an air-gapped or segregated network. Another challenge is that where most of the defense relies on the perimeter, once an attacker is in there's very little the Security Operations Center can actually detect or even see in that OT environment, let alone do in response to contain an incident, and the attack gets detected only after the attacker starts causing visible damage.

For example, take the Shamoon malware, which is essentially a wiper. It is rather common in the Persian Gulf and Saudi Arabia, has been launched against multiple manufacturing and production networks in that area, and is attributed by some to Iranian nation-state cyber operations. Because it dumps credentials and moves laterally through the network environment with PsExec, it can be rather easily caught and disrupted in time to respond before it reaches the stage where it actually causes damage, IF the organization's SOC has adequate visibility and detection capabilities in the targeted networks.

I think one of the challenges that enterprises operating OT networks will broadly face in the near future is how to integrate the OT environment into a unified enterprise SOC, where the analyst talent and experience is, so that even in a post-breach situation the SOC has visibility into the environment and can detect and analyze the incident.

Low-hanging fruit that enterprises can already implement: collecting and analyzing data from HMI supervisory systems and network protocols in the unified SOC, and detecting and hunting for anomalies in that data. In many cases these systems and protocols are already standardized or based on standardized operating systems, and they should be used as a first stage. As new equipment is integrated into the environment, and vendors gradually adopt more open standards and allow better visibility into the various devices' activities, organizations will leverage those capabilities to further enrich the data flowing into the unified SOC.
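
As an added illustration (not part of the original post), here is a sketch of the pre-damage detection described above, run over Windows events forwarded from HMI hosts into a unified SOC. Event IDs 7045 (service installed), 4624 (logon, type 3 = network) and Sysmon 10 (process access) are real; the normalized field names, hosts, IPs, allow-list and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, as a hypothetical collector might normalize them.
EVENTS = [
    {"ts": "2017-04-10T02:11:05", "host": "it-ws-14", "id": 10,
     "source_image": r"C:\Users\Public\upd.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"ts": "2017-04-10T02:14:40", "host": "hmi-01", "id": 4624, "logon_type": 3, "src_ip": "10.1.5.14"},
    {"ts": "2017-04-10T02:14:42", "host": "hmi-01", "id": 7045, "service_name": "PSEXESVC"},
    {"ts": "2017-04-10T02:16:03", "host": "hmi-02", "id": 4624, "logon_type": 3, "src_ip": "10.1.5.14"},
    {"ts": "2017-04-10T02:16:04", "host": "hmi-02", "id": 7045, "service_name": "PSEXESVC"},
    {"ts": "2017-04-10T09:00:00", "host": "hmi-03", "id": 7045, "service_name": "HistorianSync"},
]
OT_HOSTS = {"hmi-01", "hmi-02", "hmi-03"}           # assumed asset inventory
LSASS_ALLOW = {r"c:\windows\system32\svchost.exe"}  # assumed baseline of benign readers

def detect(events, ot_hosts=OT_HOSTS, link=timedelta(seconds=30), fanout=2):
    """Return alerts for LSASS access, PsExec on OT hosts, and one source fanning out."""
    alerts, last_logon, spread = [], {}, defaultdict(set)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["id"] == 10:
            # Credential-dumping signal: unexpected process opening lsass.exe.
            if (e["target_image"].lower().endswith("lsass.exe")
                    and e["source_image"].lower() not in LSASS_ALLOW):
                alerts.append(("lsass_access", e["host"], e["source_image"]))
        elif e["id"] == 4624 and e.get("logon_type") == 3:
            last_logon[e["host"]] = (ts, e["src_ip"])  # remember latest network logon
        elif (e["id"] == 7045 and e["host"] in ot_hosts
              and e["service_name"].upper().startswith("PSEXESVC")):
            # PsExec's default service appearing on an OT host; tie it to the
            # network logon seen on that host within the `link` window, if any.
            seen, src = last_logon.get(e["host"], (None, "unknown"))
            if seen is None or ts - seen > link:
                src = "unknown"
            alerts.append(("psexec_on_ot_host", e["host"], src))
            spread[src].add(e["host"])
            if src != "unknown" and len(spread[src]) == fanout:
                alerts.append(("lateral_fanout", src, tuple(sorted(spread[src]))))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The fan-out alert fires once, when the same source reaches the configured number of OT hosts, which gives the SOC a single high-priority signal ahead of the destructive stage.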
